Class vs Instance subjects about access-granted HOT 7 OPEN

Personally I go with a separate permission to mean reading generic lists, like :list or :index

from access-granted.

Oops, I just realized it could get even worse though.

I realized it could get even worse though….

I get an exception now because Post.published is not a method… but what if it was a method, a scope for fetching published posts! That actually is a frequent convention… Post.published.where(title: foo).

Then the access_granted would decide that ordinary users could :read, Post because Post.published would return something other than false or nil. (It would return an ActiveRecord relation).

Maybe I'm just trying to be too clever -- any given permission should always only be used with a class object (as in :create examples) or only with instance objects (as in your :update examples).

It makes the :manage shortcut a bit tricker to use if you are ever adding conditions, since it includes :create conventionally used with Class as well as the others with instances. Oh well, it's just a shortcut.

and then whatever, I just need to create a new permission :can_read_all_posts or something that only applies to admin.

I'm not sure?

from access-granted.

I would not worry about the :manage shortcut, it's basically just something I reused from Cancan for easier management - but in retrospect I am not too fond about it. I'd be okay with getting rid of it

from access-granted.

Yeah, the manage shortcut just made things even more obvious, but even without it, I was hoping I could do:

    role :admin, { role: "admin" } do
      can :read, Post
    end

    role :user do
      can :read, Post, { published: true }
    end

And then ask both:

• can? :read, an_individual_post
• can? :read, Post # meaning can they read all posts, generally?

but of course I can't.

Do you have a pattern to recommend when I have a policy like above, but sometimes need to answer "Should I show the button for show unpublished posts, are they allowed to see them generally?"

from access-granted.

Thanks that's helpful. In this case it's not a permission for "reading lists", but specifically for reading lists including unpublished records. We can easily filter the records already, just:

filtered = records.collect { |r| can? :read, r }

So there are people looking at the list view that can see unpublished records, and others that can't see unpublisehd records. Same list view. We filter the records.

But then we have some UI elements on the list view that only apply to people who can see unpublished records...

but I guess a separate permission is the way to go, maybe

can :list_unpublished, Posts

It's annoying to me, because it is really duplicate information, it really duplicates:

can :read, Posts # with no conditions, unlike other roles that have conditions, published-only

But I guess that's just the way it is, no big deal.

from access-granted.

Thanks for going into detail with the example, really helpful!

Yeah if you have some UI elements that don't relate to specific object of a model then sadly, you most likely need a separate permission to separate them.

I didn't really want to include the AR integration and the ability to filter records because I found those to be messy at the time, but maybe something more generic could work (your example with the published class method).

In regards to being too clever another possibility would be to have can be used like this:

# policy
can :read, Post do |record, user|
  if record.is_a?(Class)
    user.admin?
  else
    record.published? || user.admin?
  end
end

Then in your UI you could do

if can? :read, Post

around the button to show all posts.

It looks explicit but should handle both cases. Though I am writing that from the top of my head so I am not entirely sure we allow passing blocks like that for non-instance can method calls. I'll give it a try :)

from access-granted.

I agree no specific AR-integration needs to be provided by access-granted, the API already present is fine and lets us easily filter whatever we want.

Still mulling over these suggestions, thanks! if can? :read, Post is what I tried first, on the analogy of can? :create, Post in the docs -- but the issue is that doesn't work when this is my policy:

    role :admin, { role: "admin" } do
      can :read, Post
    end

    role :user do
      can :read, Post, { published: true }
    end

In that case, asking can? :read, Post results in undefined method 'published' for Post:Class. Since the {published: true} check is there for asking can? :read, specific_post_obj.

from access-granted.